24 March 2006

Availability Bias: The Risk of Low Probabilities...

Should corporate America be concerned about weapons of mass destruction? How do you prepare for risks beyond your own workplace? Rad Jones from the School of Criminal Justice, Michigan State University, recently talked about a critical incident exercise he has prepared exclusively for CSO Magazine.

Rad Jones, formerly with the Secret Service and later on security projects with Ford Motor Company, emphasizes that you don't have a plan unless it has been exercised. This is especially true if you have not involved the local first responders in the local area. Role playing in exercises on scenarios that are real world and done on premises is a key component of the preparedness equation. What is left out in many instances during the exercise with the local police, fire or EMS is the Incident Command with the top brass or executives who may be in other locations across the country or the globe. This was witnessed in the Hurricane Katrina catastrophe.

Every metro area in harms way has the ability to do these exercises even on a micro basis. The single 15 story building, the business park surrounding the suburban mall or hotels and even a square block in a downtown city location is a good start. This coordination, planning and continuity builds a new level of resilience into the fabric of the community. This effort has been going on since 2003 with a consortium in Chicago, IL called ChicagoFIRST. This particular effort was spearheaded by the large financial institutions in the city who wanted to get a say and a seat inside the JOC (Joint Operations Center).

The spirit of ChicagoFIRST is spreading with the launch of WashingtonDCFIRST, a consortium based in the Wasington DC metro area. This project will be focused on the critical infrastructure private sector and the relevant interfaces to the local first responder jurisdictions. Collaboration with the Council of Governments (COG) will add the planning already underway for the past few years on issues such as interoperability and credentialing. As an example, the FCC has adopted a plan to establish a Public Safety and Homeland Security Bureau. The new Bureau is designed to provide a more efficient, effective, and responsive organizational structure to address public safety, homeland security, national security, emergency management and preparedness, disaster management, and other related issues.Unlike other private sector initiatives, WashingtonDCFIRST will involve all the critical infrastructure sectors and the private companies who represent the largest employers around the beltway including: Pepco, Verizon, Washington Gas, Exxon Mobil, AOL, and the Water Utilities. Much of the focus will be on availability bias.

Availability bias is why the U.S. has spent the past four years focusing on scenarios involving terrorism, after the so-called failure of imagination that preceded 9/11. What have politicians and citizens done for the past four years if not imagine terrorism?

And it's why many observers are now questioning whether the country should have spent that time planning not for terrorism but instead for other potential catastrophes. Like a deadly pandemic. Or major earthquake. Or hurricanes.

"One of the key dangers is that people are always focusing on the last catastrophe," says Robert Muir-Wood, the London-based chief research officer for Risk Management Solutions, which does economic risk modeling for the insurance industry. "It's a big challenge to keep everything in perspective and not be biased by what has last happened."

A true risk-based approach means that, when all else is equal, one must override the availability bias and focus on the most likely future scenarios. Unfortunately, figuring out the probability of any given scenario raises its own set of complexities.

The most probable risks that you train and exercise for, will be the incidents that you will be most prepared to handle. Suffice it to say, that the risks that you don't plan for because they are too low probability, will be the incidents or catastrophes that catch you off guard. Think about it. Not preparing and training for the low probability scenarios could cost you millions or billions and maybe your life.

No comments:

Post a Comment

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institutions activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke